VYPR
High severity · NVD Advisory · Published Oct 26, 2022 · Updated May 7, 2025

The Apache Linkis JDBC EngineConn module has a RCE Vulnerability

CVE-2022-39944

Description

In Apache Linkis <=1.2.0, when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Therefore, the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.2.0 are affected. We recommend that users update to 1.3.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Linkis <=1.2.0 with MySQL Connector/J has a deserialization vulnerability allowing remote code execution via malicious JDBC URL parameters.

Vulnerability

Description: In Apache Linkis versions up to and including 1.2.0, when used with the MySQL Connector/J, a deserialization vulnerability exists. The root cause is that parameters in the JDBC URL are not sufficiently blacklisted, allowing an attacker to inject malicious serialized data that gets deserialized by the MySQL Connector/J [2].

Exploitation

Prerequisites: An attacker must have write access to a database and the ability to configure a JDBC EngineConn (EC) with a MySQL data source and malicious parameters. No additional authentication is required beyond the database write access [2].

Impact

Successful exploitation can lead to remote code execution (RCE). An attacker can execute arbitrary code on the server hosting Apache Linkis, potentially compromising the entire system [2].

Mitigation

The vulnerability is fixed in Apache Linkis version 1.3.0, where JDBC URL parameters are blacklisted to prevent deserialization attacks. Users are strongly recommended to upgrade to 1.3.0 or later [2].
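
A sketch of the kind of JDBC URL parameter check the mitigation describes, added here as an example; it is not the code from the Linkis 1.3.0 fix. The class name, the sample host and the deny-list are assumptions: the listed names are MySQL Connector/J connection properties chosen for illustration, not a list taken from the advisory.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class JdbcUrlParamCheck {
    // Assumed deny-list (lower-cased Connector/J property names), not the project's list.
    private static final Set<String> DENIED =
        Set.of("autodeserialize", "allowloadlocalinfile", "allowurlinlocalinfile");

    /** Returns the denied property names found in the URL; an empty list means accept. */
    static List<String> deniedParams(String jdbcUrl) {
        if (jdbcUrl == null || !jdbcUrl.toLowerCase(Locale.ROOT).startsWith("jdbc:mysql")) {
            throw new IllegalArgumentException("not a MySQL JDBC URL");
        }
        int q = jdbcUrl.indexOf('?');
        String head = q < 0 ? jdbcUrl : jdbcUrl.substring(0, q);
        // Connector/J also accepts properties inside parenthesised host definitions;
        // this example refuses that form instead of parsing it (fail closed).
        if (head.indexOf('(') >= 0) {
            throw new IllegalArgumentException("per-host property syntax not accepted");
        }
        List<String> hits = new ArrayList<>();
        if (q < 0) return hits;
        for (String pair : jdbcUrl.substring(q + 1).split("&")) {
            // Compare keys decoded, trimmed and lower-cased, never in their raw form.
            String key = decodeFully(pair.split("=", 2)[0]).trim().toLowerCase(Locale.ROOT);
            if (DENIED.contains(key)) hits.add(key);
        }
        return hits;
    }

    // Percent-decode until stable; malformed or deeply nested encoding throws (reject).
    static String decodeFully(String s) {
        for (int i = 0; i < 5; i++) {
            String d = URLDecoder.decode(s, StandardCharsets.UTF_8);
            if (d.equals(s)) return s;
            s = d;
        }
        throw new IllegalArgumentException("too many encoding layers");
    }

    public static void main(String[] args) {
        String base = "jdbc:mysql://db.example.internal:3306/app"; // constructed sample
        String[] urls = { base + "?useSSL=true", base + "?autoDeserialize=true",
            base + "?useSSL=true&AUTODESERIALIZE=true", base + "?%61utoDeserialize=true" };
        for (String u : urls) System.out.println(deniedParams(u) + "  " + u);
    }
}
```

The check has to run on the final URL string that is handed to the driver, and connection properties supplied outside the URL need the same treatment. An allow-list of the properties a deployment actually uses is stricter than a deny-list.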

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.apache.linkis:linkis (Maven) | < 1.3.0 | 1.3.0
